Elliptic Curve Cryptography in OpenSSH

I've been meaning to add this as a post, as it's light and quick: as of the release of OpenSSH 5.7, Elliptic Curve Cryptography has been implemented. Why should you care? The generated keys are substantially smaller, the algorithm is faster and lighter, giving a break to slower CPUs, and the cryptanalysis hasn't shown any substantial weaknesses, unlike traditional RSA or DSA.

To generate an ECC SSH key for your host, you need to use the "ecdsa" key type. The available bit strengths are 256, 384 and 521. Generally speaking, the equivalent DSA keys would require 4 times the bit strength of ECDSA keys. In other words, a 256-bit ECDSA key is equivalent in strength to a 1024-bit DSA key.

Pull up your terminal, and type:

% ssh-keygen -t ecdsa -b 256

Go through the prompts, and you should have your generated private and public keys. Then copy the public key over to your remote server and start using it:

% ssh-copy-id -i ~/.ssh/id_ecdsa.pub user@server.tld

Of course, the remote server does need to support ECC in order to take advantage of ECDSA keys, which means it too needs to be running OpenSSH 5.7 or later. Here's a result of the key sizes:

As you can clearly see, ECDSA keys are substantially smaller compared to their DSA counterparts and a bit smaller than equivalent RSA keys. Also, it should be mentioned that when setting up the OpenSSH server on a new host for the first time, you can also choose to have ECDSA host keys generated for the server, rather than the standard RSA or DSA keys.
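To measure key sizes yourself, here is an added example (not part of the original post) that decodes the base64 blob of a public key line, as found in a `.pub` file or in authorized_keys, and reports the key type, key size in bits and blob size in bytes. The helper names and the two sample lines are constructed for illustration: the samples follow the SSH wire layout but carry filler bytes rather than real key material.

```python
import base64
import struct

CURVE_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}

def read_string(buf, off):
    """Read one SSH wire 'string' (uint32 length + bytes); return (data, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack(">I", buf[off:off + 4])[0]
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def describe_pubkey(line):
    """Return (key type, key size in bits, blob size in bytes) for one public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    embedded, off = read_string(blob, 0)
    if embedded != ktype.encode("ascii"):
        raise ValueError("type label does not match the key blob")
    if ktype.startswith("ecdsa-sha2-"):
        curve, off = read_string(blob, off)
        point, off = read_string(blob, off)
        bits = CURVE_BITS.get(curve.decode("ascii"))
        # Uncompressed point: 0x04 || X || Y, each coordinate ceil(bits/8) bytes.
        if bits is None or point[:1] != b"\x04" or len(point) != 1 + 2 * ((bits + 7) // 8):
            raise ValueError("malformed ECDSA key")
    elif ktype in ("ssh-rsa", "ssh-dss"):
        first, off = read_string(blob, off)    # RSA: e, DSA: p
        second, off = read_string(blob, off)   # RSA: n, DSA: q
        bits = int.from_bytes(second if ktype == "ssh-rsa" else first, "big").bit_length()
    else:
        raise ValueError("unsupported key type: " + ktype)
    return ktype, bits, len(blob)

def make_line(ktype, *fields):
    """Build a constructed key line: real wire layout, filler bytes as key material."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (ktype.encode("ascii"),) + fields)
    return "%s %s constructed@example" % (ktype, base64.b64encode(blob).decode("ascii"))

# Constructed samples (not usable keys): a 256-bit ECDSA and a 2048-bit RSA layout.
SAMPLE_ECDSA = make_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x11" * 64)
SAMPLE_RSA = make_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256)

if __name__ == "__main__":
    print(describe_pubkey(SAMPLE_ECDSA), describe_pubkey(SAMPLE_RSA))
```

Passing each line of a real authorized_keys file to `describe_pubkey` gives a quick inventory of which key types and sizes are in use on a host.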

I don't recommend wiping your existing RSA or DSA keys in favor of ECDSA quite yet. Plenty of OpenSSH and proprietary SSH servers exist that do not support ECC. Thus, your newly generated ECDSA key won't work, even if you copy it to the authorized_keys file. However, if you have the servers that support it, then why not give it a go, and see what you think?

When I'm talking about the algorithm, I'm referring to the encryption/decryption algorithm. ECC doesn't depend on S-boxes, so it can achieve higher cycles per byte than most other algorithms.

Also, because it's based on the algebraic properties of elliptic curves, rather than factoring large primes, the math is an order of magnitude lighter to compute, thus it's great for embedded systems, lower-end CPUs, etc. Even the LOC to implement ECC in any specific language is less than traditional AES, 3DES, RSA, DSA and other algorithms.

Only the German standards body, BSI, thinks that a 256-bit ECC key is equivalently strong to a 2048-bit DSA key. The other researchers range from 3072 up to 4440-bit DSA keys as being as strong as 256-bit ECDSA keys!

If both server and client support ECC and are configured with ECDSA keys, but you still choose to authenticate a session with a password rather than with public key authentication, is ECC still used by default for the key exchange?